From billreid at shaw.ca Wed Feb 3 15:54:50 2010
From: billreid at shaw.ca (Bill Reid)
Date: Wed, 03 Feb 2010 15:54:50 -0600
Subject: [*] Cisco Partner Training - Feb 24 Edmonton
Message-ID: <4B69F0AA.4080901@shaw.ca>

Date & Time: Wednesday, February 24, 2010 @ 11:30am

Where:
Edmonton Petroleum Club
11110 - 108th Street
Edmonton Alberta T5G 2T2
(708) 474-3411
Get directions

Agenda:
Registration & Lunch 11:30am - 12:30pm
Presentation 12:30pm - 2:00pm
Social networking/Prize Draw 2:00pm - 2:30pm

Are you looking to grow your profit margin with Cisco solutions?
Are you interested in offering your customers new solutions like VoIP and
Unified Communications, Virtualization and Servers?
Have you heard about the new Cisco Small Business PRO Products?
Would you like to learn more about Cisco's Data Centre Solutions and Servers?

If you can answer YES to any of these questions, Click here to keep reading!

Click to Register

An account with Ingram Micro is not required to attend this event.

For more details please call Derek Quesnel, Cisco Sales Specialist
1 (800) 668-3450 x54306


From billreid at shaw.ca Wed Feb 3 15:55:28 2010
From: billreid at shaw.ca (Bill Reid)
Date: Wed, 03 Feb 2010 15:55:28 -0600
Subject: [*] Cisco Partner Training - Feb 23 CALGARY
Message-ID: <4B69F0D0.8060906@shaw.ca>

Date & Time: Tuesday, February 23, 2010 @ 5:00pm

Where:
Q Haute cuisine
Upper Level, 100 LaCaille Place
7th Street & 1st Avenue SW
Calgary, AB T2P 5E2
(403) 262-5554
www.qhautecuisine.com

Agenda:
Registration & Dinner 5:00pm - 6:00pm
Presentation 6:00pm - 7:30pm
Social networking 7:30pm - 8:00pm

Are you looking to grow your profit margin with Cisco solutions?
Are you interested in offering your customers new solutions like VoIP and
Unified Communications, Virtualization and Servers?
Have you heard about the new Cisco Small Business PRO Products?
Would you like to learn more about Cisco's Data Centre Solutions and Servers?

If you can answer YES to any of these questions, Click here to keep reading!

Click to Register

An account with Ingram Micro is not required to attend this event.

For more details please call Derek Quesnel, Cisco Sales Specialist
1 (800) 668-3450 x54306

Cisco Small Business PRO Sales Support
1-877-219-4278 PIN number: 104951
https://www.myciscocommunity.com/community/smallbizsupport/partnerzone/pds

Cisco Small Business Technical Support: 1-866-606-1866

Cisco SMB Partners Community Forum
https://www.myciscocommunity.com/community/partner/smallmediumbusiness (Partner)
https://www.myciscocommunity.com/community/smallbizsupport (Anyone)

Warranty
http://www.cisco.com/en/US/prod/warranty_qa_guest.html


From sean at ertw.com Wed Feb 10 10:49:28 2010
From: sean at ertw.com (Sean Walberg)
Date: Wed, 10 Feb 2010 10:49:28 -0600
Subject: [*] And Google becomes a carrier
Message-ID: 

http://googleblog.blogspot.com/2010/02/think-big-with-gig-our-experimental.html

-- 
Sean Walberg
http://ertw.com/
From john at johnlange.ca Wed Feb 17 15:38:53 2010
From: john at johnlange.ca (John Lange)
Date: Wed, 17 Feb 2010 15:38:53 -0600
Subject: [*] Security Alert: Dial string injection vulnerability in all Asterisk versions.
Message-ID: <1266442733.3837.227.camel@linux-k6vx.site>

Apparently there is a serious vulnerability in many dial plans which is
roughly the Asterisk equivalent of a SQL injection.

If you are doing anything similar to this:

exten => _X.,1,

Then you may have a serious problem.

Take a look at this post for more information.

http://www.voip-forum.com/?p=241&preview=true

-- 
John Lange
http://www.johnlange.ca


From john at johnlange.ca Fri Feb 19 09:39:18 2010
From: john at johnlange.ca (John Lange)
Date: Fri, 19 Feb 2010 09:39:18 -0600
Subject: [*] [Fwd: [asterisk-dev] AST-2010-002: Dialplan injection vulnerability]
Message-ID: <1266593958.3837.314.camel@linux-k6vx.site>

-------- Forwarded Message --------
From: Asterisk Security Team
Reply-to: Asterisk Developers Mailing List
To: asterisk-dev at lists.digium.com
Subject: [asterisk-dev] AST-2010-002: Dialplan injection vulnerability
Date: Thu, 18 Feb 2010 17:46:21 -0600

               Asterisk Project Security Advisory - AST-2010-002

+------------------------------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | Dialplan injection vulnerability                |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | Data injection vulnerability                    |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote Unauthenticated Sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Critical                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | Yes                                             |
|----------------------+-------------------------------------------------|
| Reported On          | 10/02/10                                        |
|----------------------+-------------------------------------------------|
| Reported By          | Hans Petter Selasky                             |
|----------------------+-------------------------------------------------|
| Posted On            | 16/02/10                                        |
|----------------------+-------------------------------------------------|
| Last Updated On      | February 18, 2010                               |
|----------------------+-------------------------------------------------|
| Advisory Contact     | Leif Madsen < lmadsen AT digium DOT com >       |
|----------------------+-------------------------------------------------|
| CVE Name             |                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | A common usage of the ${EXTEN} channel variable in a     |
|             | dialplan with wildcard pattern matches can lead to a     |
|             | possible string injection vulnerability. By having a     |
|             | wildcard match in a dialplan, it is possible to allow    |
|             | unintended calls to be executed, such as in this         |
|             | example:                                                 |
|             |                                                          |
|             | exten => _X.,1,Dial(SIP/${EXTEN})                        |
|             |                                                          |
|             | If you have a channel technology which can accept        |
|             | characters other than numbers and letters (such as SIP)  |
|             | it may be possible to craft an INVITE which sends data   |
|             | such as 300&Zap/g1/4165551212 which would create an      |
|             | additional outgoing channel leg that was not originally  |
|             | intentioned by the dialplan programmer.                  |
|             |                                                          |
|             | Usage of the wildcard character is common in dialplans   |
|             | that require variable number length, such as European    |
|             | dial strings.                                            |
|             |                                                          |
|             | Please note that this is not limited to a specific       |
|             | protocol or the Dial() application.                      |
|             |                                                          |
|             | The expansion of variables into                          |
|             | programmatically-interpreted strings is a common         |
|             | behavior in many script or script-like languages,        |
|             | Asterisk included. The ability for a variable to         |
|             | directly replace components of a command is a feature,   |
|             | not a bug - that is the entire point of string           |
|             | expansion.                                               |
|             |                                                          |
|             | However, it is often the case due to expediency or       |
|             | design misunderstanding that a developer will not        |
|             | examine and filter string data from external sources     |
|             | before passing it into potentially harmful areas of      |
|             | their dialplan. With the flexibility of the design of    |
|             | Asterisk come these risks if the dialplan designer is    |
|             | not suitably cautious as to how foreign data is allowed  |
|             | to continue into the system.                             |
|             |                                                          |
|             | This security release is intended to raise awareness of  |
|             | how it is possible to insert malicious strings into      |
|             | dialplans, and to advise developers to read the best     |
|             | practices documents so that they may easily avoid these  |
|             | dangers.                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | One resolution is to wrap the ${EXTEN} channel variable   |
|            | with the FILTER() dialplan function to only accept        |
|            | characters which are expected by the dialplan programmer. |
|            | The recommendation is for this to be the first priority   |
|            | in all contexts defined as incoming contexts in the       |
|            | channel driver configuration files.                       |
|            |                                                           |
|            | Examples of this and other best practices can be found in |
|            | the new README-SERIOUSLY.bestpractices.txt document in    |
|            | the top level folder of your Asterisk sources.            |
|            |                                                           |
|            | Asterisk 1.2.40 has also been released with a backport of |
|            | the FILTER() dialplan function from 1.4 in order to       |
|            | provide the tools required to resolve this issue in your  |
|            | dialplan.                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                      | Release Series |                        |
|------------------------------+----------------+------------------------|
| Asterisk Open Source         | 1.2.x          | All versions           |
|------------------------------+----------------+------------------------|
| Asterisk Open Source         | 1.4.x          | All versions           |
|------------------------------+----------------+------------------------|
| Asterisk Open Source         | 1.6.x          | All versions           |
|------------------------------+----------------+------------------------|
| Asterisk Business Edition    | B.x.x          | All versions           |
|------------------------------+----------------+------------------------|
| Asterisk Business Edition    | C.x.x          | All versions           |
|------------------------------+----------------+------------------------|
| Switchvox                    | None           | No versions affected   |
+------------------------------------------------------------------------+

+----------------------------------------------------------------------------------------------+
| Document                                                                                     |
|----------------------------------------------------------------------------------------------|
| SVN URL                                                                               |Branch|
|---------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.2/README-SERIOUSLY.bestpractices.txt   |v1.2  |
|---------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.4/README-SERIOUSLY.bestpractices.txt   |v1.4  |
|---------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.0/README-SERIOUSLY.bestpractices.txt |v1.6.0|
|---------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.1/README-SERIOUSLY.bestpractices.txt |v1.6.1|
|---------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.2/README-SERIOUSLY.bestpractices.txt |v1.6.2|
+----------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product                                  | Release                     |
|------------------------------------------+-----------------------------|
| Open Source Asterisk                     | 1.2.40                      |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/view.php?id=16810                  |
|       |                                                                |
|       | https://issues.asterisk.org/view.php?id=16808                  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2010-002.pdf and          |
| http://downloads.digium.com/pub/security/AST-2010-002.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date            | Editor             | Revisions Made                  |
|-----------------+--------------------+---------------------------------|
| 16/02/10        | Leif Madsen        | Initial release                 |
+------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2010-002
              Copyright (c) 2010 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

-- 
John Lange
http://www.johnlange.ca


From bcole at plumcom.ca Fri Feb 19 12:19:23 2010
From: bcole at plumcom.ca (Bruce Cole)
Date: Fri, 19 Feb 2010 13:19:23 -0500
Subject: [*] Asterisk Digium Canada Conference speaker Schedule finalized for April 7, 2010
In-Reply-To: <31226650B4DA4AFFB5057097706C2BB4@plumcom.local>
References: <31226650B4DA4AFFB5057097706C2BB4@plumcom.local>
Message-ID: 

Wow, we just completed the schedule for the conference being held at the
Metro Toronto Convention Centre on April 7, 2010. Here's the summary:

Speakers:

Kevin Fleming: Open Telephony takes Enterprise by Storm!

Chad Barth: Asterisk in Elections: 2008 presidential Primaries and beyond
case study (40 million calls in 6 months)

Steve Sokol: How Open Source Communication Solutions Can Increase ROI And
Slash TCO

Matt Florell: Open source call centres! 40 seats, 200 seats case study

Jeronimo Romero: Mission critical Asterisk on the trading floor. High
Availability Open Source Telephony / Asterisk on the Stock Exchange Trading
Floor.

SuperPanel: John Todd, Leif Madsen, and other speakers discussing the issues
of the day, such as virtual hosting, Security and Mobility.

Followed by a TAUG membership meeting.

http://www.it360.ca/index.cfm?pagepath=Asterisk/Conference&id=14718
(full details will be online in a week. I just wanted to get this out to
you ASAP.)

To register use code HSC50 and you will receive a 50% discount on the
regular registration fee. So for early bird rate, the actual cost would be
$274.50 plus GST. This is a special rate for folks traveling great distances
to attend.

https://myprereg.com/Registration.aspx?show=98&website=52&Page=INTRO

For further info, call Norma Gibbs at 888.823.7586 or 905-695-0123 x214.

BTW, Reza M. Reza was most helpful in pulling this together for 2010.
Submitted by Bruce Cole


From billreid at shaw.ca Tue Feb 23 17:43:43 2010
From: billreid at shaw.ca (Bill Reid)
Date: Tue, 23 Feb 2010 17:43:43 -0600
Subject: [*] March meeting
Message-ID: <4B84682F.2080705@shaw.ca>

Hi All,

I have nothing on the agenda for our meeting next week (Mar 2nd). Let me
know if you have something to demo or talk about.

Thanks,
Bill


From billreid at shaw.ca Sun Feb 28 12:00:28 2010
From: billreid at shaw.ca (Bill Reid)
Date: Sun, 28 Feb 2010 12:00:28 -0600
Subject: [*] Mar 2nd meeting cancelled
Message-ID: <4B8AAF3C.4090806@shaw.ca>

Hi All,

I have not heard from anyone about topics for the agenda and since I have
none I am proposing that the meeting be cancelled.

-- 
Bill
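Editor's worked example for the AST-2010-002 advisory forwarded earlier in this archive (John Lange's "Security Alert" and "[Fwd: ... AST-2010-002]" messages). This extensions.conf fragment is added here and is not part of the advisory, the Asterisk README-SERIOUSLY.bestpractices.txt document, or any message in the thread. It places the vulnerable pattern the advisory quotes next to a version that wraps ${EXTEN} in FILTER() as the advisory recommends. The context names from-sip-untrusted and from-sip-filtered, the variable name SAFE_EXTEN and the reject/length check are assumptions made for the example; the injected string 300&Zap/g1/4165551212 is the one given in the advisory.

```ini
; Added example, not from the advisory. Context and variable names are assumed.
;
; VULNERABLE: ${EXTEN} comes straight from the caller (for SIP, the user part
; of the INVITE Request-URI). The _X. pattern matches a leading digit followed
; by one or more characters of any kind, so an INVITE for
;   300&Zap/g1/4165551212
; reaches this priority and expands to
;   Dial(SIP/300&Zap/g1/4165551212)
; '&' is Dial()'s channel separator, so Asterisk rings SIP/300 *and* places an
; outbound Zap/g1 call to 4165551212 that the dialplan author never intended.
[from-sip-untrusted]
exten => _X.,1,Dial(SIP/${EXTEN})

; HARDENED: FILTER(0-9,...) keeps only the characters listed (here the digits
; 0-9) and drops everything else, so '&', '/' and letters never reach Dial().
; The advisory asks for this to be the first priority of every incoming
; context named in the channel driver configuration (sip.conf, iax.conf, ...).
[from-sip-filtered]
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; FILTER() strips rather than rejects. Assumed extra check: if anything was
; removed (lengths differ), refuse the call instead of dialling whatever digits
; survived, e.g. dialling 3004165551212 out of the injected string above.
exten => _X.,n,GotoIf($[${LEN(${SAFE_EXTEN})} != ${LEN(${EXTEN})}]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN})
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected dial string with unexpected characters)
exten => _X.,n,Hangup()
```

Point the untrusted peers' context= setting at the filtered context, and widen the FILTER() character list only if the dialplan genuinely needs more than digits (for example "0-9+" for E.164 numbers). The check is deliberately done on lengths rather than on the raw string so that ${EXTEN} is never placed bare inside a $[ ] expression, where quotes or brackets supplied by the caller could disturb expression parsing. FILTER() is available in Asterisk 1.4 and later and, per the advisory, was backported to 1.2.40.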